edtFTPnet/PRO - Secure FTP component for .NET

Private Key Access Problems

When using edtFTPnet/PRO in a Windows service or Web application, developers sometimes get exceptions related to access to the private key. This is caused by the very stringent security requirements Windows places on access to private keys: Windows does not grant the account that the service or application runs under permission to read a private key that was previously loaded into the Windows certificate store of a different (interactive) user.

The solution is to create the private key and certificate for the localMachine user (instead of the user that the developer is logged in as). This may be done as follows:

  1. Use MakeCert (see Note A below) to create a private key and a self-signed certificate, and place it directly into the localMachine certificate store.
  2. Start up the Certificates MMC Snap-In for the localMachine user (see Note B below).
  3. Export the certificate and private key as a single PFX file (see Note C below).
  4. In the application code, use the SSLFTPCertificate.CreateFromPFX(string,string) method to read in the PFX file.
  5. Use the Certificates MMC Snap-In to export the same certificate (without the key) in a format compatible with your FTP server.
  6. Import the certificate into your FTP server's certificate store.
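The following is an added example, not code from edtFTPnet/PRO or its documentation, showing step 4 as it would appear inside a Windows service: the PFX exported in Note C is loaded with the SSLFTPCertificate.CreateFromPFX(string,string) method named above. The PFX file name, the FTP_PFX_PASSWORD environment variable, and the SecureFTPConnection.ClientCertificate and FileTransferProtocol.FTPSExplicit names are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using EnterpriseDT.Net.Ftp;
using EnterpriseDT.Net.Ftp.Ssl;

public static class ServiceCertificateLoader
{
    // Loads the PFX file exported in Note C. The path is resolved against the
    // service binary's directory because a Windows service starts with
    // %SystemRoot%\System32 as its working directory, so a bare file name
    // would be looked up in the wrong place.
    public static SSLFTPCertificate LoadClientCertificate(string pfxFileName)
    {
        string pfxPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, pfxFileName);
        if (!File.Exists(pfxPath))
            throw new FileNotFoundException("PFX file not found", pfxPath);

        // Password chosen in Note C, step 5. Read from the service's environment
        // (assumed variable name) rather than hard-coded in the binary.
        string password = Environment.GetEnvironmentVariable("FTP_PFX_PASSWORD");
        if (string.IsNullOrEmpty(password))
            throw new InvalidOperationException("FTP_PFX_PASSWORD is not set for the service account");

        try
        {
            // Documented entry point: reads certificate and private key from the PFX.
            return SSLFTPCertificate.CreateFromPFX(pfxPath, password);
        }
        catch (CryptographicException ex)
        {
            // Surface the private-key access problem with the file that was tried.
            throw new InvalidOperationException(
                "Could not load the private key from " + pfxPath + "; see Note C", ex);
        }
    }

    // Attaches the loaded certificate to a connection (assumed property and enum names).
    public static void Configure(SecureFTPConnection ftp, string host, string pfxFileName)
    {
        ftp.ServerAddress = host;
        ftp.Protocol = FileTransferProtocol.FTPSExplicit;
        ftp.ClientCertificate = LoadClientCertificate(pfxFileName);
    }
}
```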

Note A

Use the following command (substituting the correct CN)

      makecert -r -pe -n "CN=www.yourwebserver.com" -b 01/01/2000 ^
      -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine ^
      -sky exchange -sy 12 ^
      -sp "Microsoft RSA SChannel Cryptographic Provider"

MakeCert is part of the Platform SDK. Older versions of the MakeCert utility don't support the -pe option, so make sure that you have the latest version.

Note B

To access the certificate MMC snap-in on Windows:

  1. At a command prompt open MMC by typing "mmc <enter>".
  2. Select "File | Add/Remove Snap-in..."
  3. Press "Add..."
  4. Select "Certificates".
  5. Select "Computer account".
  6. Select "Local computer".
  7. Press "Close"
  8. Press "OK"
  9. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
  10. You should see the certificate you just created. Right-click on it and select "All tasks | Export...".

Note C

To export the private key and certificate using the certificate MMC snap-in:

  1. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
  2. You should see the certificate you just created. Right-click on it and select "All tasks | Export...".
  3. Select "Yes, export the private key" and press Next.
  4. Press Next again.
  5. Type in a password twice and press Next.
  6. Select a file-name and press Next.
  7. Press "Finish".
